Policy paper

Rural Payments Agency Data Protection Policy

Updated 27 March 2025

1. Policy summary

The Rural Payments Agency (RPA) Data Protection Policy sets out our commitment to:

  • comply with data protection law

  • protect the rights of our people and the public

  • be transparent about how we collect, store and process personal information

  • protect ourselves from the risks of a data breach

This policy outlines the responsibilities and behaviour expected to ensure we fulfil our obligations under the United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).

The policy applies to all processing of personal data carried out by RPA. This includes processing carried out by joint controllers, contractors, and processors.

2. Data protection principles

Data protection law covers how personal data is sourced, stored, managed, used, and disposed of.

Personal data represents characteristics of individuals and can be used to make decisions that will affect people’s lives. Personal data is protected because:

  • potential misuse could lead to a negative impact on individual people (data subjects) and organisations

  • data has an economic value, and legislation controls who may access that value, how, and for what purpose

This policy ensures that we comply with the data protection principles. These principles state that personal data must be:

  • processed fairly, lawfully and transparently

  • used only for limited, specified stated purposes and not used or disclosed in any way incompatible with those purposes

  • adequate, relevant and limited to what is necessary

  • accurate and kept appropriately up to date

  • retained for no longer than necessary

  • kept safe and secure within technical and organisational environments as part of our Information Governance Model

We are also committed to being responsible, accountable and able to show evidence of compliance for our processing of personal data, as required by the UK GDPR (known as the accountability principle).

3. Policy coverage

We take our responsibility for handling personal data very seriously and take every reasonable step to ensure that personal information is collected, retained, and otherwise processed in a lawful manner. We ensure the rights of data subjects are upheld.

We process the personal data of a wide range of individuals including (but not limited to):

  • members of the public

  • businesses

  • our people

  • contractors

We process this personal data in accordance with data protection law, including DPA 2018 and UK GDPR. This policy provides a general statement of how we meet our legal obligations and covers how we collate, manage, use and dispose of personal data.

4. Roles and responsibilities

We have teams and individuals with specific roles and responsibilities to ensure we comply with data protection law.

4.1 Information Governance Model

Brings together policies, procedures and guidance on our application of data protection legislation.

Our information governance is further informed by the Information Commissioner’s Office (ICO) Accountability Framework, which enables us to assess our compliance with legislation.

4.2 Information Asset Owner (IAO)

Plays a specialist role in ensuring the Information Governance requirement is being met by their people in their area.

We have assigned Information Asset Owners (IAO) to each directorate and significant function. They are leaders responsible for managing the risks to personal information and business critical information held within a department. They ensure that information is processed with due care and diligence, and that their people are familiar with the data protection procedures and processes.

4.3 Security Risk Owner (SRO)

Is ultimately accountable for ensuring the risk to personal information is managed appropriately.

4.4 Information Governance Business Unit Group (IGBUG)

Along with the practitioners, the IAOs meet quarterly at the Information Governance Business Unit Group (IGBUG). The IGBUG reports to both the SRO for accountability and the Finance and Assurance Subcommittee (FASC) for assurance.

4.5 Defra Data Protection Officer (DPO)

As the delivery agency for the Department for Environment, Food and Rural Affairs (Defra), RPA is also accountable to the Defra Data Protection Officer (DPO). The Defra DPO advises on and monitors compliance with data protection law.

4.6 RPA Data Protection Practitioner (DPP)

Acts as a local point of contact to liaise with the Defra DPO.

There are further governance roles which are described as follows.

4.7 Audit and Risk Assurance Committee (ARAC)

Advises the Accounting Officer on the strategic processes for risk, control, and governance. This includes data protection risk and compliance. Regular reporting to the Audit and Risk Assurance Committee (ARAC) includes updates from each IGBUG on information risk and cyber security, and any reports of breaches.

4.8 Executive Team (ET)

Supports the Chief Executive in leading RPA to deliver its strategy and business plan. The Executive Team (ET) includes data protection in strategic priorities and upholds an information governance culture. ET oversees the functions and responsibilities on data protection.

4.9 Our People

We expect our employees to:

  • understand and follow this policy

  • take part in training as required so they know their obligations and RPA’s liabilities

  • know how to recognise a personal data breach and unauthorised processing

  • ask questions about data protection when in doubt and raise any concerns with their IAO

  • report any suspected personal data breaches without delay

5. Practices

We have specific practices and procedures to ensure we comply with data protection law.

5.1 Special category data and other sensitive information

We acknowledge that some personal data is more sensitive and must be given greater protection. This is personal data about:

  • race or ethnic origin

  • political opinions

  • religious or philosophical beliefs

  • trade union membership

  • genetic data

  • biometric data used to uniquely identify an individual

  • health

  • sexual life, sexual orientation, or both

  • criminal records (convictions and offences)

We process special category data and criminal offence data under the requirements of Articles 9 and 10 of the UK GDPR, and Schedule 1 of the DPA 2018. There is a separate policy for special category data.

We only process personal data, including special category data, under one or more of the given processing conditions. This applies to personal data in all formats, including photographs, video recordings and other imagery.

5.2 Data protection impact assessments

RPA will undertake a Data Protection Impact Assessment (DPIA) when introducing a new processing activity that is likely to result in a high risk to the rights and freedoms of individuals. The DPIA will identify and mitigate those risks. Where necessary, guidance will be sought from the Data Protection Officer. Where the DPIA indicates that the risk remains high after attempting mitigation, we will consult the ICO.

5.3 Data protection by design and by default

We have adopted the concepts of data protection by design and by default into all our processing activities. Project processes are in place to ensure compliance and privacy by design is integral to any product, project or service offered by us.

5.4 Children and vulnerable adults

We provide extra protection for the personal data of children and vulnerable adults. Someone who is vulnerable may be unable to freely consent or object to the processing of their data.

When processing data relating to children and vulnerable adults, we will:

  • complete a DPIA

  • provide a separate privacy notice which is understandable to a child, which sets out their rights and what we do with their data

  • make reasonable efforts to ensure that anyone who provides their own consent is at least 13 years old

5.5 Transparency

We will make sure data is processed lawfully and fairly, and that we can account for that processing under the UK GDPR. All processing must rely on one of the lawful bases set out in the UK GDPR. The rights an individual can exercise depend in part on the lawful basis relied on, but the right to be informed about how their data is being used (transparency) applies whichever basis we rely on.

When obtaining data direct from the data subject, we provide a privacy notice at the point of data capture. When obtaining data through third party sources, we provide a privacy notice within one month. The privacy notice will specify and make explicit the purpose of data collection and details of processing. We will track any changes or updates to privacy notices. This is so we can demonstrate that we process personal data in a transparent manner.

For the context of personal information processing activities, please see RPA’s Personal Information Charter and privacy notices.

5.6 Record of processing activities

We log personal data collection by processing theme in the Record of Processing Activities (RoPA). The RoPA links data processing themes to the privacy notices. We record retention periods for data in the RoPA, in line with Defra’s Knowledge Information Management (KIM) policies. It is available to employees for reference, and IAOs collaborate in its upkeep.

5.7 Security

We store and process personal data in a way that ensures security of that data. This includes protection against unauthorised or unlawful processing, accidental loss, destruction, or damage. We use a combination of technical and organisational measures to do this.

Personal data is held in information technology (IT) systems in accordance with the Defra Group Security Policies. In particular:

  • access to personal data is restricted in line with the Government Security Classification

  • special category data is identified and treated accordingly, with the Data Protection Practitioner notified in every case

  • personal data is pseudonymised (processed so that it can no longer be attributed to a specific individual without additional information that is kept separately) where sharing that data would otherwise create a higher degree of risk

5.8 Information governance training

Through training, guidance and continuous assessment we create a culture of awareness and care for personal data. All our people must undertake annual mandatory Security and Data Protection training. We provide that training online through Civil Service Learning (CSL). The training module is approved by the Information Commissioner. This enables our employees to identify the personal data required for a task which ensures they are collecting adequate and relevant information. The training will:

  • show how to recognise a security incident and a personal data breach, and what steps to take in response

  • make use of a variety of technologies and delivery methods

  • evolve to reflect current ways of working and threats

  • be designed for a general audience so it’s relevant to all our employees whether they are office or field based

  • be promoted through internal communications

There is an assessment at the end of the training which all employees must complete. Completing the assessment will show their understanding of the mandated course outcomes.

5.9 Further training and awareness for senior roles

Our data protection team delivers extra training to the IAOs. This protects the privacy of individuals’ data, increases risk awareness, and further embeds a culture of data protection by design and by default.

6. Rights of individuals

The law gives individuals (data subjects) greater control over their personal information. As such, you have the following rights:

The right to be informed

  • about how we collect and use your personal data

The right of access

  • to ask for a copy of the personal data we hold about you (known as a subject access request, or SAR)

The right to erasure

  • to request that we delete personal data held on you where we no longer have a legal reason to keep it

The right to rectification

  • to ask us to update and correct any out-of-date or incorrect personal data that we hold about you

The right to object

  • to opt out of any marketing communications that we may send you and to object to us using or holding your personal data if we do not have a legitimate reason to do so

The right to restrict processing

  • to ask us (in certain circumstances) to restrict the processing of data, which means that we would need to secure and keep the data for your benefit, but not otherwise use it

The right to data portability

  • to ask us (in certain circumstances) to supply you with some of the personal data we hold about you in a structured format or provide a copy of that data to another organisation

Rights relating to automated decision-making including profiling

We do not use any wholly automated decision-making at present. If this changes, we will carefully consider the use. We would ensure we collect only the minimum data required. We would assign retention labels to any profiles created for automated decision-making. We would carry out extra checks for vulnerable groups such as children.

7. Individual complaints

If you have any concerns about how we use your personal data, please read how to get in touch or make a complaint.

8. Accountability

We are accountable to the data subjects whose data we process. We are also accountable to the ICO as the Supervisory Authority in the United Kingdom. We will show our commitment to good data protection practice by following the steps outlined in this policy.

9. Publishing, reviewing and monitoring

Publication date: April 2024

Version: 2.0

Author: Data Protection & Governance (DP&G)

Review period: Annual

The policy is scheduled to be reviewed again during April 2025 unless significant developments in either RPA or the law necessitate that this be brought forward.

Compliance with the policy will be monitored via the Data Protection Practitioner and the SRO reporting to ET and the ARAC as required.

Read this policy together with the following documents:

  • Appropriate Policy Document: Special Category Personal Data and Criminal Offence Data

  • Appropriate Policy Document: Sensitive Processing For Law Enforcement Purposes

You can find these documents on the Data Protection Policy page. You may also be interested in RPA’s Personal Information Charter.